On 10/27/2010 12:28 PM, Tony Molloy wrote:
Hi,
I'm running SELinux in enforcing mode on fully updated CentOS-5 servers.
selinux-policy-2.4.6-279.el5_5.1.noarch
After the latest "possibly glibc" update I've seen the following AVC on
several of my servers.
Summary:
SELinux is preventing tzdata-update (tzdata_t) "getattr" to / (fs_t).
Detailed Description:
SELinux denied access requested by tzdata-update. It is not expected that this
access is required by tzdata-update and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable SELinux protection altogether. Disabling SELinux protection
is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context root:system_r:tzdata_t:SystemLow-SystemHigh
Target Context system_u:object_r:fs_t
Target Objects / [ filesystem ]
Source tzdata-update
Source Path <Unknown>
Port <Unknown>
Host remote-backup.x.y.z
Source RPM Packages
Target RPM Packages filesystem-2.4.0-3.el5
Policy RPM selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name remote-backup.x.y.z
Platform Linux remote-backup.x.y.z 2.6.18-194.17.1.el5 #1 SMP Wed Sep 29 12:50:31 EDT 2010 x86_64 x86_64
Alert Count 3
First Seen Fri Oct 22 06:31:14 2010
Last Seen Wed Oct 27 06:39:14 2010
Local ID ec15ac2d-b644-40fb-809a-2b3809b001e5
Line Numbers
Raw Audit Messages
host=remote-backup.csis.ul.ie type=AVC msg=audit(1288157954.817:16502): avc: denied { getattr } for pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
This was fixed in Fedora, but it looks like the fix was not backported to EL5:
mkdir ~/mytzdata && cd ~/mytzdata
cat > mytzdata.te <<'EOF'
policy_module(mytzdata, 1.0.0)
gen_require(`
    type tzdata_t;
')
fs_getattr_xattr_fs(tzdata_t)
EOF
make -f /usr/share/selinux/devel/Makefile mytzdata.pp
sudo semodule -i mytzdata.pp
... should fix it
Regards,
Tony
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
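As an added example, not part of the thread above: a small POSIX shell script that pulls the source type, target type, object class and permission list out of a raw AVC record like the one in the alert and prints the matching local policy module source, roughly what audit2allow does for you. The AVC record is a constructed copy of the denial quoted in the thread, and the helper names (avc_field, avc_perms, ctx_type, avc_to_te) are my own, not a tool's.

```shell
#!/bin/sh
# Added example, not from the thread: extract the pieces of an AVC denial and
# emit a local policy module (.te) that allows exactly that access, roughly
# what audit2allow does. Helper names here are my own.

# Constructed sample, copied from the denial quoted in the thread.
AVC='type=AVC msg=audit(1288157954.817:16502): avc: denied { getattr } for pid=2135 comm="tzdata-update" name="/" dev=sda5 ino=2 scontext=root:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'

# avc_field RECORD KEY: value of the first KEY=value token, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# avc_perms RECORD: the permission list between "{" and "}", e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te MODULE RECORD: print .te source for a module that allows only the
# denied permission(s), with the comm and object name kept as a comment.
avc_to_te() {
    mod=$1
    rec=$2
    src=$(ctx_type "$(avc_field "$rec" scontext)")
    tgt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    # Unquoted heredoc so the variables expand; the backtick that opens
    # gen_require must be escaped or the shell treats it as a command.
    cat <<EOF
policy_module($mod, 1.0.0)

gen_require(\`
    type $src;
    type $tgt;
')

# comm="$(avc_field "$rec" comm)" denied { $perms } on $cls "$(avc_field "$rec" name)"
allow $src $tgt:$cls { $perms };
EOF
}

# Redirect this into mytzdata.te, then build and load it with the same
# make -f /usr/share/selinux/devel/Makefile and semodule -i steps as in the reply.
avc_to_te mytzdata "$AVC"
```

The generated rule is a raw `allow tzdata_t fs_t:filesystem { getattr };`, which is what audit2allow would also produce; the `fs_getattr_xattr_fs(tzdata_t)` interface used in the reply is the better form when a matching interface exists, because it tracks future policy changes. Either way, keep the rule to exactly the permission and class that was denied, and confirm the module is loaded afterwards with `semodule -l`.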